CCNP Cheat Sheet - 2021 Edition
Cisco Certified Network Professional (CCNP) is a group of professional-level certifications that prepares you for roles in the IT field. They cover the core concepts and knowledge you need to excel in your IT career. With seven certifications at this level, there is a wide range of choices for those seeking more experience, knowledge and preparation for the workforce. The current certifications are:
- CCNP Enterprise
- CCNP Data Center
- CCNP Security
- CCNP Service Provider
- CCNP Collaboration
- Cisco Certified CyberOps Professional
- Cisco Certified DevNet Professional
With this wide range of certifications, it is challenging to write an all-in-one cheat sheet. Yet we know how important it is to understand the material before taking the two exams needed to earn a CCNP certification. Our CCNP training takes you even further, with advanced concepts on routing and services.
A CCNP certification involves one core exam and one concentration exam of your choosing. Since Cisco certifications are widely respected, you will have no trouble applying your CCNP certification in the future. Names of certain CCNP certifications have changed, such as CCNP Routing & Switching (now CCNP Enterprise), yet their relevance keeps pace with the advancement of the IT world. In this way, you will use what you learned far into the future while having the knowledge to adapt to future changes in the tech sector.
OSI Model for Cisco Networking
It is important to be familiar with the OSI model even if you do not refer to it often. It is especially useful when working with Cisco switches and routers, which operate mainly at Layer 2 and Layer 3 respectively. Here is what operates at each layer of the OSI model:
Layers
- Application Responsible for initiating or servicing the request. Examples include SMTP, DNS, HTTP and Telnet (Telnet sends credentials in the clear; use SSH for device management)
- Presentation Formats the information so that it is understood by the receiving system. Examples include compression and encryption, depending on the implementation
- Session Responsible for establishing, managing, and terminating the session. Example: NetBIOS
- Transport Breaks information into segments and is responsible for connection and connectionless communication. Examples: TCP and UDP
- Network Responsible for logical addressing and routing. Examples: IP, ICMP, ARP, RIP, IGRP and routers
- Data Link Responsible for physical addressing, error detection (the frame check sequence) and preparing the information for the media. Examples: MAC addresses, CSMA/CD, switches and bridges
- Physical Deals with the electrical signal. Examples: Cables, connectors, hubs and repeaters
How to Configure a Cisco Network
A Cisco network has to be configured accurately. You need to know the configuration modes you will move through when configuring a device, and how to configure a router interface, a switch management interface, and an interface that obtains its address from DHCP.
Configuration modes for Cisco networking
When you move around inside Cisco IOS you will see a number of prompts, and the prompt changes as you move from one configuration mode to the next. The major modes are:
User EXEC mode: when you first connect to a Cisco device you land in user EXEC mode. It lets you view some settings on the device but not change them. The IOS prompt ends in ">".
Privileged EXEC mode: to make changes you must enter privileged EXEC mode with the enable command, which prompts for the enable password if one is set. Configure it with enable secret, which stores a hash, rather than enable password, which stores the password in the clear or only trivially obfuscated. The prompt ends in "#".
Global configuration mode: lets you make device-wide changes such as the hostname. From privileged EXEC mode type "configure terminal" (or "conf t") and the prompt becomes "(config)#".
Sub-prompts: from global configuration mode you can enter many sub-modes, such as interface configuration, "(config-if)#", to modify a specific interface, and line configuration, "(config-line)#", for the console, aux and vty terminal lines.
Configure an Interface for Cisco Networking
When you are dealing with routers and working with the management interface on switches, you will frequently have to configure network interfaces, and this will either match physical interface ports or virtual interfaces in the form of a virtual LAN (VLAN) interface.
For router interfaces, the example below sets the description, speed, duplex and IP configuration for interface FastEthernet 0/0 (note the slot/port form of the interface reference). Router interfaces are administratively down by default, so the final step enables the interface with the no shutdown command. Interfaces on switches are enabled by default.
Router1>enable
Router1#configure terminal
Router1(config)#interface FastEthernet0/0
Router1(config-if)#description Private LAN
Router1(config-if)#speed 100
Router1(config-if)#duplex full
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#no shutdown
Arrange a Switch Management Interface for Cisco Networking
For switches, assign an IP address to the management interface with something like the example below. Here management is done over VLAN 1, the default VLAN; in production put management on a dedicated VLAN and keep user ports out of it. The VLAN 1 interface is shut down by default on many switches, so it is enabled explicitly.
Switch1>enable
Switch1#configure terminal
Switch1(config)#interface vlan 1
Switch1(config-if)#ip address 192.168.1.241 255.255.255.0
Switch1(config-if)#no shutdown
Organize an Interface to Use DHCP for Cisco Networking
If you would like to configure a router or switch to retrieve its IP configuration information from a network Dynamic Host Configuration Protocol (DHCP) server, then you can use commands like the following example.
Router1>enable
Router1#configure terminal
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address dhcp
Router1(config-if)#no shutdown
Creating a VLAN for Cisco Networking
When using your Cisco network, you may want to separate users into different broadcast domains for security or to reduce broadcast traffic. You do this with VLANs. The example below creates VLAN 2 in the VLAN database, names it, and places switch ports 1 to 12 into VLAN 2 as access ports.
Switch1>enable
Switch1#configure terminal
Switch1(config)#vlan 2
Switch1(config-vlan)#name Finance
Switch1(config-vlan)#exit
Switch1(config)#interface range FastEthernet0/1 - 12
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#switchport access vlan 2
If you are connecting two switches, you will usually want all configured VLANs to pass between them over one link. That is done with a trunk port. By default a trunk carries every VLAN and Cisco switches negotiate trunking with DTP; in practice prune the trunk with switchport trunk allowed vlan and disable negotiation with switchport nonegotiate so that a user-facing port cannot be talked into becoming a trunk. To configure port 24 on your switch as a trunk port:
Switch1>enable
Switch1#configure terminal
Switch1(config)#interface FastEthernet 0/24
Switch1(config-if)#switchport mode trunk
Using EtherChannel for Cisco Networking
You can also use EtherChannel on your Cisco network. EtherChannel lets you bundle up to eight physical ports on a switch into a single, larger logical link. It is used to connect a server with teamed or bonded network cards to a switch, or to connect switches together. Two negotiation protocols are common: Port Aggregation Protocol (PAgP), which is Cisco proprietary, and Link Aggregation Control Protocol (LACP, IEEE 802.3ad), which is an open standard.
To form an EtherChannel with one of these protocols, you configure each member interface in one of the following modes:
auto: the interface responds to PAgP negotiation packets but does not start a negotiation itself.
desirable: the interface actively tries to negotiate a PAgP channel.
on: the channel is brought up unconditionally, without PAgP or LACP. An on port bundles only with another port set to on; nothing verifies the far end, so a mismatch or mis-cabling can produce a loop or a black hole.
active: the interface actively tries to negotiate an LACP channel with the far end.
passive: the interface responds to LACP negotiation requests but does not initiate them.
The example below bundles ports 11 and 12 on the switch into channel group 5 using PAgP in desirable mode. The same configuration is applied on the switch that Switch1 is connected to (desirable on one side pairs with desirable or auto on the other).
Switch1> enable
Switch1# configure terminal
Switch1(config)# interface range FastEthernet0/11 -12
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 10
Switch1(config-if-range)# channel-group 5 mode desirable
Dealing with the Spanning Tree Protocol for Cisco Networking
Spanning Tree Protocol (STP) lets you build redundant links into the Cisco network for fault tolerance while blocking the bridging loops those redundant links would otherwise create, which would flood the network with broadcasts and bring it to a halt.
The commands below enable Cisco's Rapid Per-VLAN Spanning Tree (Rapid PVST+) rather than the open standard Multiple Spanning Tree Protocol (MSTP). Besides setting the STP mode on the switch, they configure port 2 for PortFast, which lets an access port go straight to forwarding instead of waiting through the listening and learning states. PortFast belongs only on ports with a single end host; pair it with BPDU Guard (spanning-tree bpduguard enable) so the port is shut down if a switch is plugged into it. IOS prints a warning to that effect:
Switch1> enable
Switch1# configure terminal
Switch1(config)#spanning-tree mode rapid-pvst
Switch1(config)#interface FastEthernet 0/2
Switch1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/2 but will only
have effect when the interface is in a non-trunking mode.
Managing Static Routing for Cisco Networking
When you are working with routers on your Cisco network, you will want the router to route data, that is, to pass traffic from one interface to another. IP routing is enabled by default on a router but must be turned on explicitly on a Layer 3 switch. To enable it, use the following commands:
Router1>enable
Router1#configure terminal
Router1(config)#ip routing
Whether or not you run a dynamic routing protocol, you can also add static routes. The following adds a static route to Router1 that sends traffic for the 192.168.5.0/24 network to the next-hop router at 192.168.3.2.
Router1>enable
Router1#configure terminal
Router1(config)#ip routing
Router1(config)#ip route 192.168.5.0 255.255.255.0 192.168.3.2
Managing Routing Information Protocol for Cisco Networking
Routing Information Protocol (RIP) is still common in small networks, and version 2 lets you use Variable Length Subnet Masks (VLSM) across the network because it carries the subnet mask in its updates. The commands below enable routing, enable RIP, set it to version 2, disable automatic summarization at classful boundaries, advertise the 192.168.5.0/24 network from this router and, in addition to the normal multicast updates, send RIP updates as unicast directly to the neighbor 192.168.1.1 (to stop the multicast updates on that interface as well, add passive-interface for it).
Router2>enable
Router2#configure terminal
Router2(config)#ip routing
Router2(config)#router rip
Router2(config-router)#version 2
Router2(config-router)#no auto-summary
Router2(config-router)#network 192.168.5.0
Router2(config-router)#neighbor 192.168.1.1
On Dealing with EIGRP for Cisco Networking
Enhanced Interior Gateway Routing Protocol (EIGRP) is the updated version of IGRP. The commands below enable EIGRP with autonomous system (AS) number 100, advertise two networks and disable automatic summarization. The AS number must match on neighboring routers or they will not form an adjacency.
Router2>enable
Router2#configure terminal
Router2(config)#ip routing
Router2(config)#router eigrp 100
Router2(config-router)#network 192.168.1.0
Router2(config-router)#network 192.168.5.0
Router2(config-router)#no auto-summary
OSPF for Cisco Networking
Open Shortest Path First (OSPF) is a widely used link-state protocol. Unless you set one explicitly with router-id, OSPF takes its router ID from the highest IP address on a loopback interface, falling back to the highest IP address on an active physical interface; a loopback is preferred because it never goes down. The following example sets the loopback address, then enables OSPF with process ID 100 and places the loopback (192.168.255.254, matched exactly with wildcard 0.0.0.0) and the 192.168.5.0/24 network in area 0.
Router2>enable
Router2#configure terminal
Router2(config)#interface loopback 0
Router2(config-if)#ip address 192.168.255.254 255.255.255.0
Router2(config-if)#exit
Router2(config)#router ospf 100
Router2(config-router)#network 192.168.255.254 0.0.0.0 area 0
Router2(config-router)#network 192.168.5.0 0.0.0.255 area 0
Viewing Routing Information for Cisco Networking
After configuring the routing protocol of your choice, whether OSPF, RIP or EIGRP, you can view the routing table with the show ip route command. The example below shows its output. The legend at the top gives the code for each route source, and each entry shows [administrative distance/metric] followed by the next hop, the age of the route and the exit interface. The sample output is illustrative: it lists an EIGRP, an OSPF and a RIP route for the same prefix 192.168.10.0/24 so that all three codes are visible, but a real routing table installs only the one with the lowest administrative distance, here the EIGRP route (90).
Router2>enable
Password:
Router2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
D 192.168.10.0/24 [90/284160] via 192.168.1.1, 00:04:19, FastEthernet0/0
O 192.168.10.0/24 [110/11] via 192.168.1.1, 00:01:01, FastEthernet0/0
R 192.168.10.0/24 [120/1] via 192.168.1.1, 00:00:07, FastEthernet0/0
C 192.168.5.0/24 is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S 192.168.3.0/24 [1/0] via 192.168.1.1
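The selection rules described above, as an added example that is not part of the original cheat sheet or of IOS: a small Python model that parses the output format shown, keeps one route per prefix by lowest administrative distance, and resolves a destination by longest prefix match. The sample table is constructed from the output above; the more specific static route at the end is an added, constructed entry used to show that a longer prefix beats any administrative distance.

```python
"""Model of how IOS chooses among the routes shown by `show ip route`.

Added example, not IOS code. Two rules decide which entry forwards a packet:
only one route per prefix is installed, the one with the lowest administrative
distance (first number in [AD/metric]) and then lowest metric; and a lookup
uses the longest matching prefix, regardless of AD.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# "D 192.168.10.0/24 [90/284160] via 192.168.1.1, 00:04:19, FastEthernet0/0"
# "S 192.168.3.0/24 [1/0] via 192.168.1.1"            (no age or interface)
VIA = re.compile(r"^(?P<code>\S+)\s+(?P<prefix>[\d.]+/\d+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]"
                 r"\s+via\s+(?P<nh>[\d.]+)(?:,.*?,\s*(?P<intf>\S+))?$")
# "C 192.168.5.0/24 is directly connected, FastEthernet0/1"
CONNECTED = re.compile(r"^(?P<code>\S+)\s+(?P<prefix>[\d.]+/\d+)\s+is directly connected,\s*(?P<intf>\S+)$")


@dataclass(frozen=True)
class Route:
    code: str
    prefix: str
    ad: int
    metric: int
    next_hop: Optional[str]
    intf: Optional[str]


def parse_show_ip_route(text: str) -> List[Route]:
    """Extract route entries; legend and 'Gateway of last resort' lines are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = VIA.match(line)
        if m:
            routes.append(Route(m["code"], m["prefix"], int(m["ad"]), int(m["metric"]),
                                m["nh"], m["intf"]))
            continue
        m = CONNECTED.match(line)
        if m:                      # connected routes have AD 0 and metric 0
            routes.append(Route(m["code"], m["prefix"], 0, 0, None, m["intf"]))
    return routes


def install(candidates: List[Route]) -> Dict[str, Route]:
    """Keep one route per prefix: lowest AD wins, then lowest metric."""
    rib: Dict[str, Route] = {}
    for r in candidates:
        best = rib.get(r.prefix)
        if best is None or (r.ad, r.metric) < (best.ad, best.metric):
            rib[r.prefix] = r
    return rib


def lookup(rib: Dict[str, Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; None when nothing matches and there is no default route."""
    ip = IPv4Address(dst)
    matches = [r for r in rib.values() if ip in IPv4Network(r.prefix)]
    return max(matches, key=lambda r: int(r.prefix.split("/")[1]), default=None)


# Constructed from the cheat sheet's sample output.
SAMPLE = """
Gateway of last resort is not set
D 192.168.10.0/24 [90/284160] via 192.168.1.1, 00:04:19, FastEthernet0/0
O 192.168.10.0/24 [110/11] via 192.168.1.1, 00:01:01, FastEthernet0/0
R 192.168.10.0/24 [120/1] via 192.168.1.1, 00:00:07, FastEthernet0/0
C 192.168.5.0/24 is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S 192.168.3.0/24 [1/0] via 192.168.1.1
"""

# Constructed: a more specific route, as an injected or mistaken /25 would be.
# Longest match beats AD, so it captures half of 192.168.10.0/24 even though the
# EIGRP /24 stays installed. This is why routing-protocol authentication and
# filtering of received prefixes matter.
MORE_SPECIFIC = "S 192.168.10.0/25 [1/0] via 192.168.3.2"

if __name__ == "__main__":
    rib = install(parse_show_ip_route(SAMPLE))
    for prefix, r in sorted(rib.items()):
        print(prefix, r.code, r.next_hop or r.intf)
    print(lookup(install(parse_show_ip_route(SAMPLE + MORE_SPECIFIC)), "192.168.10.55"))
```

Run it as a script to print the installed table and the hijacked lookup; install() is where a real table's single entry for 192.168.10.0/24 comes from.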
Securing a Cisco Network
Security is a concern in every area of IT, and your Cisco network needs to be secured just as carefully as any personal account. The sections below show how to configure NAT, how to create an ACL, and how to apply that ACL to an interface. Keep in mind that NAT hides your internal addressing but is not a filter; the ACL, not the translation, is what controls which traffic is allowed.
Securing Your Cisco Network by Configuring NAT
The commands below configure NAT overload (PAT) on a router called Router1. Access list 1 selects the inside source addresses (10.0.0.0/8) to be translated, and FastEthernet 0/0 is the outside interface whose single public address all inside addresses are translated to, distinguished by port number. Access list 1 is a selector, not a filter: inside traffic it does not match is forwarded untranslated rather than dropped, so pair NAT with an interface ACL if you need to block traffic.
Router1>enable
Router1#configure terminal
Router1(config)#access-list 1 permit 10.0.0.0 0.255.255.255
Router1(config)#ip nat inside source list 1 interface FastEthernet 0/0 overload
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip nat outside
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#ip nat inside
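The behaviour of that configuration, as an added example that is not part of the original page or of IOS: a Python model of NAT overload on Router1. It assumes 203.0.113.2 as the address of FastEthernet 0/0 (the page does not give one) and uses constructed traffic; real IOS keys its extended translation entries on the full flow rather than on (inside address, port) alone, which the model simplifies.

```python
"""Model of IOS NAT overload (PAT) as configured in the example above.

Added example, not IOS code. It shows three things about that configuration:
`overload` lets every inside host matched by ACL 1 share the one outside
interface address, told apart by the translated source port (the original
port is kept when it is free); the ACL selects which sources are translated
and does not filter, so an unmatched inside host is forwarded untranslated;
and an inbound packet with no existing translation is dropped, which is the
only 'firewalling' NAT provides.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]        # (src_ip, src_port, dst_ip, dst_port)
Result = Tuple[str, Optional[Flow]]     # (what happened, packet as forwarded)


class PatRouter:
    def __init__(self, outside_addr: str, inside_list: str, first_free_port: int = 1024):
        self.outside_addr = outside_addr               # address of the `ip nat outside` interface
        self.inside_list = IPv4Network(inside_list)    # `access-list 1 permit 10.0.0.0 0.255.255.255`
        self.next_port = first_free_port
        self.by_inside: Dict[Tuple[str, int], int] = {}    # (inside ip, port) -> translated port
        self.by_outside: Dict[int, Tuple[str, int]] = {}   # translated port -> (inside ip, port)

    def _allocate(self, inside: Tuple[str, int]) -> int:
        """Keep the original source port if unused, otherwise take the next free one."""
        port = inside[1]
        if port in self.by_outside:
            while self.next_port in self.by_outside:
                self.next_port += 1
            port = self.next_port
        self.by_inside[inside] = port
        self.by_outside[port] = inside
        return port

    def outbound(self, flow: Flow) -> Result:
        """Packet entering on the `ip nat inside` interface and leaving on the outside one."""
        src, sport, dst, dport = flow
        if IPv4Address(src) not in self.inside_list:
            return "forwarded untranslated", flow      # the ACL is a selector, not a filter
        key = (src, sport)
        port = self.by_inside.get(key)
        if port is None:
            port = self._allocate(key)
        return "translated", (self.outside_addr, port, dst, dport)

    def inbound(self, flow: Flow) -> Result:
        """Packet arriving on the outside interface; it needs an existing translation."""
        src, sport, dst, dport = flow
        if dst != self.outside_addr or dport not in self.by_outside:
            return "dropped", None
        inside_ip, inside_port = self.by_outside[dport]
        return "translated", (src, sport, inside_ip, inside_port)


if __name__ == "__main__":
    # Constructed traffic: two inside hosts that happen to use the same source port.
    r = PatRouter("203.0.113.2", "10.0.0.0/8")
    print(r.outbound(("10.1.1.10", 40000, "198.51.100.7", 443)))   # keeps port 40000
    print(r.outbound(("10.2.2.20", 40000, "198.51.100.7", 443)))   # port clash, gets 1024
    print(r.inbound(("198.51.100.7", 443, "203.0.113.2", 1024)))   # reply reaches 10.2.2.20
    print(r.inbound(("198.51.100.7", 443, "203.0.113.2", 2222)))   # unsolicited, dropped
    print(r.outbound(("192.168.50.1", 1000, "198.51.100.7", 80)))  # not in ACL 1, untranslated
```

The last case is the one that surprises people: a host outside the inside list is not blocked, it simply leaves with its private source address, which upstream will then drop or, worse, route.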
Securing the Cisco Network by Configuring an Access Control List (ACL)
ACLs are used to control traffic flow by permitting or denying it. Entries are evaluated top-down and the first match wins, and every ACL ends with an implicit deny any, so anything you do not explicitly permit is dropped. There are two main types:
Standard ACLs have fewer options for classifying traffic than extended ACLs: they filter on the source IP address only. Standard ACLs are numbered 1 to 99 and 1300 to 1999.
Extended ACLs can filter on a variety of criteria, such as source and destination IP addresses, the protocol (IP, TCP, UDP or ICMP) and TCP or UDP port numbers. Extended ACLs are numbered 100 to 199 and 2000 to 2699.
In order to create a standard ACL, you use the example below, which will form an ACL that allows traffic for the 192.168.8.0/24 network.
Switch1>enable
Switch1#configure terminal
Switch1(config)#access-list 50 permit 192.168.8.0 0.0.0.255
To create an extended ACL, use the example below, which creates an ACL that permits TCP traffic from the 192.168.8.0/24 network to any destination on port 80 (HTTP) or 443 (HTTPS). Because of the implicit deny, everything else from that network, including the DNS lookups the browsers need, is dropped once the ACL is applied, so add permit entries for such traffic as needed:
Router1>enable
Router1#configure terminal
Router1(config)#access-list 101 remark This ACL is to control the outbound router traffic.
Router1(config)#access-list 101 permit tcp 192.168.8.0 0.0.0.255 any eq 80
Router1(config)#access-list 101 permit tcp 192.168.8.0 0.0.0.255 any eq 443
Secure the Cisco Network by Applying an Access Control List (ACL)
After you have created an ACL, such as ACL 101 above, you apply it to an interface. In the example below the ACL filters traffic leaving the router through FastEthernet0/1 (out). Direction is relative to the router: an inbound ACL on the interface where traffic arrives drops it before it is routed, and an outbound ACL does not filter traffic the router itself originates. An interface can carry one ACL per direction per protocol.
Router1>enable
Router1#configure terminal
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip access-group 101 out
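The matching rules from the ACL sections above, as an added example that is not part of the original page or of IOS: a Python evaluator for numbered ACLs in the syntax the cheat sheet uses. ACL 101 and ACL 50 are copied from the examples; the logged explicit deny and the sample packets are constructed for the demonstration.

```python
"""Toy evaluator for numbered Cisco IOS ACLs (added example, not IOS code).

It models the rules described above: entries are tried top-down, the first
match wins, wildcard masks select which address bits must match, and an
unmatched packet hits the implicit `deny any` at the end of every ACL. Only
the syntax used in the cheat sheet is supported: standard ACLs (source only)
and extended ACLs with a protocol, `any` / `host X` / `X wildcard` addresses
and `eq <destination port>`.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]   # (base address, wildcard mask), IOS style


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def wildcard_for_prefix(prefix: str) -> str:
    """Turn 192.168.8.0/24 into the 0.0.0.255 wildcard the ACL syntax wants."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


def _addr(t: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address spec starting at t[i]; return it and the next index."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():     # explicit wildcard follows
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1                    # bare address means host


def parse_ace(line: str) -> Optional[dict]:
    """Parse one `access-list N permit|deny ...` line; remarks return None."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an ACL line: " + line)
    number = int(t[1])
    if t[2] == "remark":
        return None
    rule = {"action": t[2]}
    if number <= 99 or 1300 <= number <= 1999:         # standard ACL number ranges
        rule["proto"] = "ip"
        rule["src"], _ = _addr(t, 3)
        rule["dst"] = ("0.0.0.0", "255.255.255.255")
        rule["dport"] = None
        return rule
    rule["proto"] = t[3]                               # extended ACL
    rule["src"], i = _addr(t, 4)
    if i < len(t) and t[i] == "eq":
        raise ValueError("source ports are not supported: " + line)
    rule["dst"], i = _addr(t, i)
    rule["dport"] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return rule


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching line); the implicit deny catches everything else."""
    for line in acl:
        r = parse_ace(line)
        if r is None or r["proto"] not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, *r["src"]) or not wildcard_match(pkt.dst, *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        return r["action"], line
    return "deny", "implicit deny any"


# ACL 101 and ACL 50 as the cheat sheet builds them, plus a variant of 101 with
# an explicit logged deny, which is what you want in practice so that rejected
# traffic shows up in the logs instead of vanishing into the implicit deny.
ACL_101 = [
    "access-list 101 remark This ACL is to control the outbound router traffic.",
    "access-list 101 permit tcp 192.168.8.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp 192.168.8.0 0.0.0.255 any eq 443",
]
ACL_101_LOGGED = ACL_101 + ["access-list 101 deny ip any any log"]
ACL_50 = ["access-list 50 permit 192.168.8.0 0.0.0.255"]

if __name__ == "__main__":
    # Constructed sample traffic: web from the LAN is allowed, but the DNS lookup
    # that precedes it is silently dropped by the implicit deny.
    for pkt in (Packet("tcp", "192.168.8.10", "203.0.113.5", 443),
                Packet("udp", "192.168.8.10", "192.168.1.53", 53),
                Packet("tcp", "10.1.1.1", "203.0.113.5", 443)):
        print(pkt, "->", evaluate(ACL_101, pkt))
```

Running the script shows the second packet, the DNS query, being denied by "implicit deny any"; with ACL_101_LOGGED the same packet matches the explicit deny line instead, which is the entry IOS would log.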
OSPF Quick Reference for Cisco Networking
Multicast addresses
- 224.0.0.5 all OSPF routers
- 224.0.0.6 DR and BDR routers
Hello and dead timers
- Dead (hold) time = 4 hello periods
- LAN and point-to-point = 10 seconds / 40 seconds (mnemonic: 1OSPFour)
- NBMA = 30 seconds / 120 seconds
Hello packet fields (fields marked * must match for a neighborship to form)
- Router ID
- Hello and Dead timers *
- Network mask *
- Area ID *
- Neighbors
- Router priority (default 1; a router set to 0 is never DR or BDR; the RID breaks ties)
- DR/BDR IP address (not seen on point-to-point or point-to-multipoint)
- Authentication type and password *
- Stub area flag *
Neighbor states
- Down, Attempt (NBMA only), Init, 2-Way, ExStart, Exchange, Loading, Full
Metric (cost) = reference bandwidth of 100 Mbps divided by the interface bandwidth in Mbps
- 56k = 1785
- 64k = 1562
- T1 (1.544 Mbps) = 64
- E1 (2.048 Mbps) = 48
- Ethernet = 10
- Fast Ethernet = 1
- Gigabit Ethernet = 1 (the same as Fast Ethernet unless the reference bandwidth is raised)
- Adjust per interface: router(config-if)#ip ospf cost X
- Adjust under the process: router(config-router)#auto-cost reference-bandwidth X (in Mbps; set the same value on every router in the domain)
LSA types
- 1 = Router LSA. Generated by each router, flooded within one area (intra-area).
- 2 = Network LSA. Generated by the DR; lists all routers attached to the same segment.
- 3 = Summary LSA (ABR summary route), flooded to adjacent areas.
- 4 = ASBR summary LSA: the IP address of the ASBR, flooded to adjacent areas.
- 5 = External LSA (ASBR summary route), flooded throughout the whole AS except stub and NSSA areas (E1/E2; E1 adds the internal cost, E2 does not).
- 7 = NSSA external LSA. Generated by an ASBR inside an NSSA for routes from another domain (N1/N2 metric); the NSSA ABR converts it to a type 5.
Summarization
- Type 3 (inter-area routes, summarized on the ABR): the summary's metric is the lowest cost route in the range, and a route to Null0 is created for the summary. To advertise 172.16.0.0/12 from area 1:
router(config-router)#area 1 range 172.16.0.0 255.240.0.0
- Type 5 (external routes, summarized on the ASBR):
router(config-router)#summary-address 192.168.0.0 255.255.0.0
Area types
- Stub: the ABR blocks type 4 and 5 LSAs and replaces them with a default route. Every router in the area must be configured as stub:
router(config-router)#area 2 stub
- Totally stubby: blocks type 3, 4 and 5 LSAs. A stub area is made totally stubby by adding no-summary on the ABR only:
ABR(config-router)#area 2 stub no-summary
Authentication
- Plain-text (type 1): the key travels in the clear in every hello, so anyone who can see the segment can read it; it only protects against accidental neighbors:
router(config-router)#area 0 authentication
router(config-if)#ip ospf authentication-key PLAINTEXTPW
- MD5 (type 2): the key never leaves the router and hellos carry a keyed digest, so a rogue router cannot form an adjacency without it. Enable it for the whole area under the process or per interface, and configure the key on the interface:
router(config-router)#area 0 authentication message-digest
router(config-if)#ip ospf authentication message-digest
router(config-if)#ip ospf message-digest-key 1 md5 PASSWORD
Cisco Certifications
We hope you found this CCNP cheat sheet helpful in reviewing the basics behind the CCNP certifications. Remember that a CCNP certification involves one core exam and one concentration exam of your choosing. Cisco certifications are widely respected, so the credential will keep serving you even as names change (CCNP Routing & Switching became CCNP Enterprise) and the technology moves on.
With so many CCNP tracks, no single cheat sheet can cover everything, but this brief guide should help when refreshing particular concepts while studying for one of the CCNP exams.